Aegis: Security Policy in Depth
Cyberattack Attribution as Empowerment and Constraint
Fri, 15 Jan 2021 10:15:34 -0500


When a state seeks to defend itself against a cyberattack, must it first identify the perpetrator responsible? The US policy of “defend forward” and “persistent engagement” in cyberspace raises the stakes of this attribution question as a matter of both international and domestic law.

International law addresses in part the question of when attribution is required. The international law on state responsibility permits a state that has suffered an internationally wrongful act to take countermeasures, but only against the state responsible. This limitation implies that attribution is a necessary prerequisite to countermeasures. But international law is silent about whether attribution is required for lesser responses, which may be more common. Moreover, even if states agree that attribution is required in order to take countermeasures, ongoing disagreements about whether certain actions, especially violations of sovereignty, count as internationally wrongful acts are likely to spark disputes about when states must attribute cyberattacks in order to respond lawfully.

Under domestic US law, attributing a cyberattack to a particular state bolsters the authority of the executive branch to take action. Congress has authorized the executive to respond to attacks from particular countries and nonstate actors in both recent cyber-specific statutory provisions and the long-standing Authorizations for Use of Military Force (AUMFs) related to 9/11 and the Iraq War. Attribution to one of these congressionally designated sources of attack ensures that the executive branch need not rely solely on the president’s independent constitutional authority as commander in chief when responding, but instead can act with the combined authority of Congress and the president.

Common across international and US law is the fact that cyberattack attribution serves as both a potential source of empowerment and a potential constraint on governmental action. In both systems, attribution of a cyberattack to another state bolsters the US executive branch’s authority to respond, and conversely, the absence of attribution can place the executive on less certain legal footing.

This essay proceeds in three parts. It first explains cyberattack attribution and attribution’s interaction with existing international law on the use of force and state responsibility. The next section turns to the US “defend forward” policy and explores how it may spur disagreements about when states must attribute cyberattacks, even if they agree on the general legal framework set out in the first part. The essay then briefly addresses US domestic law and explains how congressional authorizations for certain military actions depend on attribution. The conclusion discusses how attribution can shape, not just be shaped by, the international and domestic legal systems.

U.S. Cyber Command's First Decade
Tue, 08 Dec 2020 10:53:01 -0500

United States Cyber Command (USCYBERCOM) turned ten years old in 2020. It is a unique institution—a military command that operates globally in real time against determined and capable adversaries and yet never fires a shot or launches a missile. The Command comprises an amalgam of military, intelligence, and information technology capabilities that came together into its present shape more by design than by fortuitous chance. That design, however, was itself a work in progress.

The Command’s first decade built upon the notion that states must operate in cyberspace at scale and in real time. “Operating” means that key national systems and data have to be “fought” like a weapons platform; in other words, they enable and execute critical sovereign functions and thus cannot be switched off or managed as discrete and individual devices. Indeed, each system and device affects the whole, and that whole is now immense. Only operational processes can harness the military’s and the government’s limited talent and resources in ways that can accomplish such global tasks on behalf of the nation, and only military components have the training, expertise, equipment, and resources to fulfill key elements of that requirement full-time and without interruption.

That vision dawned on military and civilian leaders years before the establishment of USCYBERCOM. The Command then refined the vision through actual operations. USCYBERCOM was by no means a passive medium upon which other government and industry actors imposed their visions. On the contrary, the Command’s leaders, experts, and experiences influenced the course of discussions and resulting decisions. The evolution began two decades back, as key decisions were made that framed the institutional context for USCYBERCOM. This essay tells this story, from the recognition in the 1990s that so-called “strategic information warfare” was of growing importance, to the 2009 decision to establish a unified command, to the critical roles USCYBERCOM has played of late in combatting ISIS propaganda and defending national elections. USCYBERCOM’s history is interesting not only for what it says about military innovation and bureaucratic change in the US government, but also for the insight it offers on the development of other military cyber components among America’s allies, partners, and adversaries.

Cyberattacks and the Constitution
Thu, 12 Nov 2020 08:01:14 -0500

The United States has one of the world’s strongest and most sophisticated capabilities to launch cyberattacks against adversaries. How does the US Constitution allocate power to use that capability? And what does that allocation tell us about appropriate executive-legislative branch arrangements for setting and implementing cyber strategy?

The term “cyberattack” is often used loosely. In this essay, I define a cyberattack as action that involves the use of computer code to disrupt, degrade, destroy, or manipulate computer systems or networks or the information on them. I am not including cyber operations that are purely for information gathering or to map foreign networks in preparation for future cyberattacks.

This definition of cyberattack still includes a wide array of operations. On one end are attacks on computer systems that have effects—including kinetic, sometimes violent ones—outside those systems. Examples include the Stuxnet attack that brought down some of Iran’s nuclear centrifuges and the 2017 NotPetya attack, widely attributed to Russia, that targeted major Ukrainian companies and government agencies but spread widely and disabled computers—as well as commerce dependent on them—around the globe. At the other end are the types of low-level and often discrete attacks that appear to be contemplated by the United States “Defend Forward” concept. Examples include infiltrating adversary networks and deleting or corrupting data, or US Cyber Command’s operations that disrupted the networks of Russia’s infamous “Internet Research Agency” troll farm in the run-up to the 2018 US midterm elections. There are of course many possibilities in between.

This essay offers a way to think about the constitutional distribution of powers between the president and Congress governing the use of US cyberattack capabilities. Some commentators and analysts view this problem almost reflexively as a “war powers” issue—a term I use throughout this essay to refer to the political branches’ respective constitutional authority over the hostile use of military force. That is especially true as one moves up the scale of expected damage. A corollary to that constitutional issue is a statutory question: Namely, how should the 1973 War Powers Resolution, which was intended to restrict extensive military hostilities without congressional approval, be interpreted or amended to account for cyberattacks? The imprecise rhetoric of “cyberwar,” “cyber conflict,” and “cyberattacks” probably contributes to this legal framing.

But many—and probably almost all—cyberattacks undertaken by the United States cannot plausibly be viewed as exercises of war powers. Indeed, the entire Defend Forward concept appears to involve low-level operations well below the “use of force” threshold under international law and far short of the types of operations that have typically triggered war powers analysis under domestic constitutional law.

This essay argues that as a conceptual and doctrinal matter, cyberattacks alone are rarely exercises of war powers—and they might never be. They are often instead best understood as exercises of other, nonwar military powers, foreign affairs powers, intelligence powers, and foreign commerce powers, among other constitutional powers not yet articulated. Although this more fine-grained and fact-specific constitutional conception of cyberattacks leaves room for broad executive leeway in some operational contexts, this discretion is often the result of congressional delegation or acquiescence as opposed to any inherent constitutional authority on the part of the president. At the same time, these alternative understandings of cyberattacks also contain a strong constitutional basis for Congress to pursue legislative regulation of the procedural and substantive parameters governing cyber operations.

Beyond those descriptive claims, this essay argues that a rush to treat cyberattacks as implicating war powers misguides criticisms about the role Congress is or is not playing in regulating cyberattacks. This is because participants in war powers debates often bring intense and polar normative stances about the appropriate institutional arrangements governing the exercise of those powers. On one end are those who prize executive speed, agility, and secrecy—and therefore presidential freedom from congressional interference. On the other end are those who see formal congressional approval for military campaigns as being of paramount constitutional importance. The latter, who want to roll back presidential unilateralism, often see cyberattacks as yet another problematic means by which presidents can evade proper congressional checks on war. But in their focus on congressional approval for military intervention, and by extension for at least some high-intensity cyberattacks, those critics may overlook other institutional arrangements that are better tailored to US cyber strategy, especially to the sort of lower-intensity activities that make up Defend Forward. They also may overlook the many important ways in which Congress is already actively involved in shaping and facilitating that strategy.

Due Diligence and the U.S. Defend Forward Cyber Strategy
Tue, 20 Oct 2020 11:06:00 -0400

As its name implies, the 2018 US Department of Defense Defend Forward strategy is principally reactive. The strategy assumes that the United States will continue to suffer harm from competitors and malign actors through cyberspace. Accordingly, it outlines US reactions in order to preempt threats, defeat ongoing harm, and deter future harm. Previous strategies have instructed similarly, but the 2018 National Cyber Strategy purports to reflect a strategic evolution in its overt commitment to countering cyber harm at its origin and to doing so not intermittently or episodically but on a “day-to-day” basis. Defending forward involves a wide range of cyber activities, but a defining feature will likely be routine nonconsensual cyber operations in the networks of hostile foreign governments and private actors.

These operations are sure to require technical, doctrinal, political, and even diplomatic reevaluations. But they also call for review of supporting international legal justifications. While a host of international law doctrines will be relevant to Defend Forward, the principle of due diligence is likely to play a significant role, in light of both the reactive nature of Defend Forward and the interconnected yet shadowy domain of cyberspace.

Well before the Defend Forward strategy or even cyberspace itself emerged, states developed the international law obligation of due diligence as an important regulation of international relations. In the incomplete and fragmented international legal system, due diligence has served as a general policing regime to manage and redress harm between states. At its most general level, due diligence requires states to take reasonable measures to put a stop to activities, whether private or public, within their borders that cause serious adverse consequences to other states. Breaches of due diligence do not require that harm be attributed to a state, only that a state knew of and failed to quell harm coming from its territory. International tribunals and publicists have repeatedly confirmed that breaches of due diligence entitle injured states to relief and reparations from offending states. Just as important, breaches of due diligence authorize victim states to react with a wide range of measures of self-correction from nondiligent states, including resorting to countermeasures.

This essay evaluates due diligence in light of the Defend Forward cyber strategy. It begins with a brief review of due diligence as an obligation of general international law, highlighting a broad base of support from international tribunals and commentators for due diligence as a freestanding rule of conduct. It then recounts recent efforts to apply due diligence to activities in cyberspace. Next, it reviews past US foreign relations experience with due diligence, including its invocation in international litigation and its use to generate favorable diplomatic outcomes. It concludes that positive US diplomatic and legal precedent counsel in favor of renewed recognition of due diligence as an obligation under general international law. It then examines how conceptions of due diligence may complement the Defend Forward strategy in cyberspace. Specifically, it suggests how the United States might best tailor a view on due diligence specific to activities in cyberspace and offer doctrinal refinements that might be acknowledged in light of the US Defend Forward strategy.

Covert Deception, Strategic Fraud, and the Rule of Prohibited Intervention
Thu, 24 Sep 2020 12:15:06 -0400

If information is power, then the corruption of information is the erosion, if not the outright usurpation, of power. This is especially true in the information age, where developments in the technological structure and global interconnectedness of information and telecommunications infrastructure have enabled states to engage in malicious influence campaigns at an unprecedented scope, scale, depth, and speed. The Digital Revolution and the attendant evolution of the global information environment have intensified, if not generated, what one expert describes as “one of the greatest vulnerabilities we as individuals and as a society must learn to deal with.” The relative explosion of digital information and communications technology (ICT) and the modern information environment it has enabled “have resulted in a qualitatively new landscape of influence operations, persuasion, and, more generally, mass manipulation.”

As evidenced by Russia’s ongoing efforts at election interference in the United States and Europe, the role of information conflict in global strategic competition has evolved and taken on new weight. A number of revisionist states, Russia and China chief among them, have fully embraced the new reality of the modern information environment, deftly adapting their capabilities and strategies to exploit the societal vulnerabilities it exposes. They have incorporated sustained, hostile influence campaigns as a central part of their destabilizing strategies to cause or exacerbate societal divisions, disrupt political processes, weaken democratic institutions, and fracture alliances, all with a broader aim of undermining the rules-based international order and gaining competitive advantage.

The anchor for these campaigns is the extensive and deep use of ICTs to conduct covert deception and disinformation operations at an extraordinary scale. Deployed at a strategic level, malign influence and disinformation operations have the very real potential to undermine and disrupt a targeted state’s independent exercise of core governance prerogatives. Along with the advent of hostile cyber operations, these ICT-enhanced deception campaigns have raised challenging questions about whether and how international law applies to these novel state interactions.

This paper contends that the customary international law prohibition against intervening in the internal and external affairs of another state provides an important yet underdeveloped legal tool to help address these threats. It considers the rule’s applicability to the murky and evolving landscape of information conflict and argues for an interpretation of the non-intervention rule better suited to the realities of the information age, where strategic covert deception and disinformation campaigns are being deployed at an unprecedented scale to subvert states’ free will over their political, electoral, and public policy prerogatives. First, it explains the scope and global scale of the covert deception and disinformation problem. The paper then walks through the international law rule of prohibited intervention, the sovereign interests it shields, and the ill-defined concept of coercion that has evolved to demarcate the line between legitimate influence and internationally wrongful intervention. Outside of the cyber context, the law frequently regulates deception either directly in the form of fraud-based proscriptions, or indirectly by making deception a constructive substitute for force or coercion elements of other crimes. These are foundational precepts that should inform states’ understanding and application of the non-intervention rule in the fast-evolving context of cyber and information conflict. The paper concludes by evaluating how to apply this understanding of nonintervention and reflecting on the role of international law in maintaining a rules-based international order in the information age.

Persistent Aggrandizement? Israel's Cyber Defense Architecture
Mon, 31 Aug 2020 16:23:56 -0400

Since 2011, the Israeli government has worked to centralize and streamline cyber defense authorities and responsibilities. It has established a new civilian national security agency to oversee cybersecurity preparedness and monitor and respond to cyber threats. The government has also advanced comprehensive draft legislation in broad consultation with a variety of relevant stakeholders from the private sector and civil society to regulate the authorities and operations of that new agency.

This paper compares the Israeli cyber defense architecture and recent reforms with key concepts in current U.S. strategy: Defend Forward and Persistent Engagement. It finds that the Israeli equivalent to Defend Forward is far less regulated than its U.S. parallel, and that the Israeli version of Persistent Engagement at home allows domestic action and harnesses the private sector in ways that the U.S. approach does not contemplate. The paper also briefly evaluates the Israeli reforms. It argues that the reforms are best described as persistent government aggrandizement, at the expense of the private sector and civil liberties.

Defend Forward and Cyber Countermeasures
Wed, 12 Aug 2020 09:39:35 -0400

When a state suffers an internationally wrongful act at the hands of another state, international law allows the injured state to respond in a variety of ways. Depending on the nature, scope, and severity of the initial wrongful act, lawful responses can range from a demand for reparations in response to a low-level violation to a forcible act of self-defense in response to an armed attack. Countermeasures offer an additional way for a state to respond to an internationally wrongful act. Countermeasures are acts that would in general be considered internationally wrongful but are justified to address the wrongdoing state’s original international law violation. The goal of countermeasures is to prompt the wrongdoing state to cease its legal violation. The countermeasures regime can help deter international law violations ex ante and mitigate those violations ex post, offering an avenue by which states can—at least in theory—de-escalate disputes.

As states increasingly employ cyber tools to commit hostile acts against their adversaries, countermeasures are poised to play a growing role in interstate relations. Many interstate activities in cyberspace fall below the use of force or armed attack threshold but nevertheless may violate international law and warrant responses from the targeted states. Understanding when and how states lawfully may deploy countermeasures and which customary limits govern the use of countermeasures is critical for states operating in the cyber arena, not only to understand their own options when injured, but also to anticipate the responses that their cyber activities may trigger from other states.

This essay explores the role that countermeasures can play in the U.S. cyber strategy known as Defend Forward, which calls for U.S. forces to “disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict.” The United States appears to believe that most, if not all, of the Defense Department’s (DOD’s) activities under this strategy are consistent with international law. But it is possible that some of DOD’s activities might be legally controversial, particularly because the content of some customary international law norms, such as the norm of nonintervention, is both vague and contested. As a result, it is worth evaluating whether and when DOD might be able to defend such actions as countermeasures under international law.

The essay first explains the international law of countermeasures and examines how it has been interpreted in the cyber context. It finds that because some traditional legal requirements of countermeasures do not apply naturally to cyberspace, states are developing a lex specialis of cyber countermeasures. The essay then considers how the U.S. government could justify as cyber countermeasures certain actions taken under the Defend Forward strategy and do so in ways that do not appear unlawful to other states. It concludes by identifying how key actors can develop the law of cyber countermeasures in a direction consistent with Defend Forward.

The Domestic Legal Framework for U.S. Military Cyber Operations
Wed, 05 Aug 2020 11:42:01 -0400

Conventional wisdom holds that Congress has abandoned its duty regarding the government’s war powers. It is not hard to understand why. Between the agelessness and flexibility of the 2001 and 2002 Authorizations for Use of Military Force (AUMFs) and periodic unilateral uses of military force in Libya, Syria, and Iraq, the executive branch appears to act largely at its own discretion when it comes to conventional military operations. But matters are different in the cyber domain. With little fanfare and less public notice, Congress and the executive branch have cooperated effectively over the past decade to build a legal architecture for military cyber operations.

The development of this legal regime has coincided with innovations in the Pentagon’s cyber strategy, in particular its commitment to the “defend forward” operational model. Premised on the idea of “persistent engagement” with adversaries, defend forward calls for proactive and continuous U.S. military cyber operations, including on foreign networks and in the gray zone. U.S. Cyber Command’s efforts to disrupt Russian hackers and cyber trolls during the 2018 midterm elections provide a recent example of the defend forward posture in action. This operation and others like it raise pressing questions about the legal authority for and constraints on military cyber activity. For example, does the executive branch have specific statutory authorization to conduct the operations defend forward calls for, or must it lean on the existing AUMFs and Article II? How does the War Powers Resolution constrain the President in the cyber domain? Who within the government must authorize out-of-network military cyber operations? And what information must the executive branch provide to Congress and the public regarding military cyber activity?

Lawmakers have answered these questions by creating a framework comprised of four elements: (1) Authorization rules allocating decision-making authority between Congress and the executive branch; (2) Process rules governing the decision-making process within the executive branch; (3) Transparency rules that compel the executive branch to share information with Congress; and (4) Substantive rules that prohibit certain actions outright. This paper walks through each element, emphasizing how lawmakers have interpreted existing law and developed new law to address the particular challenges to which cyber conflict gives rise and create a functional yet accountable legal regime. The resulting structure is far less familiar to most observers than are its cousins—those architectures associated with conventional military operations and intelligence activities—but is no less important.

The Cyberlaw Podcast: Has Apple opened a new legal front against the FBI—without telling it?
Wed, 27 May 2020 11:23:15 -0400

Our interview is with Mara Hvistendahl, investigative journalist at The Intercept and author of a new book, The Scientist and the Spy: A True Story of China, the FBI, and Industrial Espionage, as well as a deep WIRED article on the least known Chinese AI champion, iFlytek. Mara’s book raises questions about the expense and motivations of the FBI’s pursuit of commercial spying from China.

In the News Roundup, Gus Hurwitz, Nick Weaver, and I wrestle with whether Apple’s lawsuit against Corellium is really aimed at the FBI. The answer looks to be affirmative, since an Apple victory would make it harder for contractors to find hackable flaws in the iPhone.

Germany’s top court ruled that German intelligence can no longer freely spy on foreigners – or share intelligence with other western countries. The court seems to be trying to leave the door open to something that looks like intelligence collection, but the hurdles are many. Which reminds me that I somehow missed the 100th anniversary of the Weimar Republic.

There’s Trouble Right Here in Takedown City. Gus lays out all the screwy and maybe even dangerous takedown decisions that came to light last week. YouTube censored epidemiologist Knut Wittkowski for opposing lockdown. It suspended and then reinstated a popular Android podcast app for the crime of cataloging COVID-19 content. We learned that anyone can engage in a self-help right to be forgotten with a bit of backdating and a plagiarism claim. Classical musicians are taking it on the chin in their battle with aggressive copyright enforcement bots and a sluggish Silicon Valley response.

In that climate, who can blame the Supreme Court for ducking cases asking for a ruling on the scope of Section 230? They’ve dodged one already, and we predict the same outcome in the next one.

Finally, Gus unpacks the recent report on the DMCA from the Copyright Lobbying Office – er, the Copyright Office.

With relief, we turn to Matthew Heiman for more cyber and less law. It sure looks like Israel launched a disruptive cyberattack on an Iranian port facility. It was probably a response to Iranian cyber meddling with Israeli water systems.

Nick covers Bizarro-world cybersecurity: It turns out malware authors now can hire their own black-market security pentesters.

I ask about open-source security and am met with derisive laughter, which certainly seems fair after flaws were found in dozens of applications.

I also cover new developments in AI. And the news from AI speech imitation is that Presidents Trump and Obama have fake-endorsed Lyrebird.

Gus reminds us that most of privacy law is about unintended consequences, like telling Grandma she’s violating GDPR by posting her grandchildren's photos without their parents' consent.

Beerint at last makes its appearance, as it turns out that military and intelligence personnel can be tracked with a beer enthusiast app.

Finally, in the wake of Joe Rogan’s deal with Spotify, I offer assurances that the Cyberlaw Podcast is not going to sell out for $100 million.

Download the 317th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

The Discourse of Control and Consent Over Data in EU Data Protection Law and Beyond
Fri, 10 Jan 2020 08:00:01 -0500

Across the United States and Europe, the act of clicking “I have read and agree” to terms of service is the central legitimating device for global tech platforms’ data-driven activities. In the European Union, the General Data Protection Regulation has recently come into force, introducing stringent new criteria for consent and stronger protections for individuals. Yet the entrenched long-term focus on users’ control and consent fails to protect consumers who face increasingly intrusive data collection practices.

